The code for Ledger Recover should never be part of the universal firmware. They should never have developed it. But since they did, it should have received its own separate firmware. That way, you would have the standard firmware without Ledger Recover and a special one with Ledger Recover. Each user could decide which way to go, but they didn't do that.
You missed a step: the possibility should never have been built into the hardware. But it's very convenient for them to try and hook millions of existing customers, instead of selling a separate device to leak private keys online.